HTTPS and Tor: Working Together to Protect Your Privacy and Security Online

HTTPS and Tor: Working Together to Protect Your Privacy and Security Online

This week EFF released a new version its HTTPS Everywhere extension for the Firefox browser and debuted a beta version of the extension for Chrome. EFF frequently recommends that Internet users who are concerned about protecting their anonymity and security online use HTTPS Everywhere, which encrypts your communications with many websites, in conjunction with Tor, which helps to protect your anonymity online. But the best security comes from being an informed user who understands how these tools work together to protect your privacy against potential eavesdroppers.

Whenever you read your email, or update your Facebook page, or check your bank statement, there are dozens of points at which potential adversaries can intercept your Internet traffic. By using Tor to anonymize your traffic and HTTPS to encrypt it, you gain considerable protection, most notably against eavesdroppers on your wifi network and eavesdroppers on the network between you and the site you are accessing. But these tools have important limitations: your ISP and the website you are visiting still see some identifying information about you, which could be made available to a lawyer with a subpoena or a policeman with a warrant.

Protecting your security and anonymity against real-time government wiretapping is considerably more difficult. In a country where ISPs are controlled by the government or vulnerable to government bullying, Internet users should be especially aware of what kinds of information is still visible to ISPs and may be subject to government surveillance. To a lesser degree, websites may be subject to the same kinds of government bullying and may be compelled to give up information about their customers.

Finally, government agencies with particularly vast resources, such as the NSA, may be able to circumvent the protection provided by Tor through what is known as the “Global Network Adversary” attack. If the Global Network Adversary (GNA) controls the relay through which you enter the Tor network and the relay through which you exit, the GNA can correlate the size and timing of your traffic to identify you on the Tor network. In this scenario, the GNA will have the origin and destination of your traffic, but if you are using HTTPS, they will not be able to read the content. You can help combat the GNA by running a Tor relay, adding to the strength and diversity of the Tor network.

EFF has put together an interactive graphic to explain the ways in which HTTPS and Tor work together to provide you with certain kinds of protection against a variety of potential adversaries. Click on the image to try it out.

Related Updates

A fight over unmasking an anonymous Reddit commenter has turned into a significant win for online speech and fair use. A federal court has affirmed the right to share copyrighted material for criticism and commentary, and shot down arguments that Internet users from outside the United States can’t...

Coin Center’s Peter Van Valkenburgh published a report exploring the potential Constitutional concerns should aggressive regulators attempt to crack down on the coders developing ideas for cryptocurrencies and decentralized exchanges. For long-time readers of the EFF blog, some of these ideas will seem familiar. EFF has been asserting that publishing...

A bill introduced in Texas threatens the free speech rights of 28 million residents by making it easier to bring frivolous lawsuits against speakers and to harass or intimidate them into silence. EFF has long been concerned about these types of lawsuits, called Strategic Lawsuits Against Public Participation, or SLAPPs...

The Texas Supreme Court upheld protections for anonymous online speakers in a January ruling, albeit in a way that sidestepped thorny legal questions but will likely have the effect of vindicating First Amendment rights going forward. The case, Glassdoor, Inc. v. Andra Group, concerned an effort by clothing...

A lawsuit filed in New York federal court last week against the creator of the “Shitty Media Men” list and its anonymous contributors exemplifies how individuals often misuse the court system to unmask anonymous speakers and chill their speech. That’s why we’re watching this case closely, and we’re prepared...

Facebook has a problem: an infestation of undercover cops. Despite the social platform’s explicit rules that the use of fake profiles by anyone—police included—is a violation of terms of service, the issue proliferates. While the scope is difficult to measure, EFF has identified scores of agencies who maintain policies that...

The leak investigation involving a Senate staffer and a New York Times reporter raises significant issues about journalists, digital security, and the ability of journalists to protect confidential sources. The New York Times recently revealed that the FBI had been investigating a former aide to the Senate Intelligence Committee...

People in marginalized communities who are targets of persecution and violence—from the Rohingya in Burma to Native Americans in North Dakota—are using social media to tell their stories, but finding that their voices are being silenced online. This is the tragic and unjust consequence of content moderation policies...

Update (February 15, 2018): The California Supreme Court denied Yelp's request to depublish the lower court's opinion.
In recent months, we’ve seen worrying decisions in state and federal courts that weaken the First Amendment protection for anonymous speech. Last week, EFF called on the California Supreme Court...

Requiring public universities to ban access to anonymous online speech platforms would undermine activism occurring on those campuses and violate the First Amendment, EFF argued in a brief filed on Thursday.
Plaintiffs in the case, Feminist Majority Foundation et al. v. University of Mary Washington, claim that university officials...